From 23ec6bacc9a992a4e2e1eb9aeff8a61dcfb60bfc Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Mon, 2 Jun 2025 23:56:29 +0200
Subject: [PATCH] [PM-20225] Prevent legacy users without userkey from logging in (#14267)
* Prevent legacy users without userkey from logging in
* Remove further web-migration code for legacy users
* Add i18n for legacy user error message
* Update comment
* Remove migrate legacy component
* Remove i18n messages
* Remove migrate legacy encryption reference
---
 apps/browser/src/_locales/en/messages.json | 4 +-
 apps/cli/src/auth/commands/login.command.ts | 6 +-
 apps/cli/src/locales/en/messages.json | 3 +
 apps/cli/src/program.ts | 1 +
 apps/desktop/src/locales/en/messages.json | 4 +-
 .../core/services/two-factor-auth/index.ts | 1 -
 .../web-two-factor-auth-component.service.ts | 14 ---
 apps/web/src/app/core/core.module.ts | 8 --
 .../migrate-legacy-encryption.component.html | 36 -------
 .../migrate-legacy-encryption.component.ts | 100 ------------------
 apps/web/src/app/oss-routing.module.ts | 7 --
 apps/web/src/locales/en/messages.json | 18 +---
 .../src/auth/guards/lock.guard.spec.ts | 13 ---
 libs/angular/src/auth/guards/lock.guard.ts | 8 --
 .../auth/src/angular/login/login.component.ts | 16 ++-
 ...fault-two-factor-auth-component.service.ts | 5 -
 .../two-factor-auth-component.service.ts | 19 ----
 .../two-factor-auth.component.ts | 21 +---
 .../common/login-strategies/login.strategy.ts | 8 +-
 19 files changed, 27 insertions(+), 265 deletions(-)
 delete mode 100644 apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts
 delete mode 100644 apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html
 delete mode 100644 apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index 29223942fd6..68f303dd538 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -1365,8 +1365,8 @@
 "featureUnavailable": {
 "message": "Feature unavailable"
 },
- "encryptionKeyMigrationRequired": {
- "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
+ "legacyEncryptionUnsupported": {
+ "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
 },
 "premiumMembership": {
 "message": "Premium membership"
diff --git a/apps/cli/src/auth/commands/login.command.ts b/apps/cli/src/auth/commands/login.command.ts
index cd5c8ef9bcd..a8e525e2206 100644
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -34,6 +34,7 @@ import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/a
 import { KeyConnectorService } from "@bitwarden/common/key-management/key-connector/abstractions/key-connector.service";
 import { MasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
@@ -77,6 +78,7 @@ export class LoginCommand {
 protected logoutCallback: () => Promise,
 protected kdfConfigService: KdfConfigService,
 protected ssoUrlService: SsoUrlService,
+ protected i18nService: I18nService,
 protected masterPasswordService: MasterPasswordServiceAbstraction,
 ) {}
@@ -227,9 +229,7 @@ export class LoginCommand {
 );
 }
 if (response.requiresEncryptionKeyMigration) {
- return Response.error(
- "Encryption key migration required. Please login through the web vault to update your encryption key.",
- );
+ return Response.error(this.i18nService.t("legacyEncryptionUnsupported"));
 }
 if (response.requiresTwoFactor) {
 const twoFactorProviders = await this.twoFactorService.getSupportedProviders(null);
diff --git a/apps/cli/src/locales/en/messages.json b/apps/cli/src/locales/en/messages.json
index 9149e25c5bc..815939c0c95 100644
--- a/apps/cli/src/locales/en/messages.json
+++ b/apps/cli/src/locales/en/messages.json
@@ -185,6 +185,9 @@
 }
 }
 },
+ "legacyEncryptionUnsupported": {
+ "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
+ },
 "organizationUsingKeyConnectorOptInLoggedOut": {
 "message": "An organization you are a member of is using Key Connector. In order to access the vault, you must opt-in to Key Connector now via the web vault. You have been logged out."
 },
diff --git a/apps/cli/src/program.ts b/apps/cli/src/program.ts
index e7e25d66343..468901282b4 100644
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@@ -175,6 +175,7 @@ export class Program extends BaseProgram {
 async () => await this.serviceContainer.logout(),
 this.serviceContainer.kdfConfigService,
 this.serviceContainer.ssoUrlService,
+ this.serviceContainer.i18nService,
 this.serviceContainer.masterPasswordService,
 );
 const response = await command.run(email, password, options);
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index 9d668d464ae..0cc466196fb 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -691,8 +691,8 @@
 "maxFileSize": {
 "message": "Maximum file size is 500 MB."
 },
- "encryptionKeyMigrationRequired": {
- "message": "Encryption key migration required. Please login through the web vault to update your encryption key."
+ "legacyEncryptionUnsupported": {
+ "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
 },
 "editedFolder": {
 "message": "Folder saved"
diff --git a/apps/web/src/app/auth/core/services/two-factor-auth/index.ts b/apps/web/src/app/auth/core/services/two-factor-auth/index.ts
index ba2697fdee4..4ca57b34737 100644
--- a/apps/web/src/app/auth/core/services/two-factor-auth/index.ts
+++ b/apps/web/src/app/auth/core/services/two-factor-auth/index.ts
@@ -1,2 +1 @@
-export * from "./web-two-factor-auth-component.service";
 export * from "./web-two-factor-auth-duo-component.service";
diff --git a/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts b/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts
deleted file mode 100644
index 451cec57ddd..00000000000
--- a/apps/web/src/app/auth/core/services/two-factor-auth/web-two-factor-auth-component.service.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import {
- DefaultTwoFactorAuthComponentService,
- TwoFactorAuthComponentService,
- LegacyKeyMigrationAction,
-} from "@bitwarden/auth/angular";
-
-export class WebTwoFactorAuthComponentService
- extends DefaultTwoFactorAuthComponentService
- implements TwoFactorAuthComponentService
-{
- override determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction {
- return LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT;
- }
-}
diff --git a/apps/web/src/app/core/core.module.ts b/apps/web/src/app/core/core.module.ts
index e812edd8f32..46435981a5e 100644
--- a/apps/web/src/app/core/core.module.ts
+++ b/apps/web/src/app/core/core.module.ts
@@ -32,7 +32,6 @@ import {
 SetPasswordJitService,
 SsoComponentService,
 LoginDecryptionOptionsService,
- TwoFactorAuthComponentService,
 TwoFactorAuthDuoComponentService,
 ChangePasswordService,
 } from "@bitwarden/auth/angular";
@@ -116,7 +115,6 @@ import {
 WebRegistrationFinishService,
 WebLoginComponentService,
 WebLoginDecryptionOptionsService,
- WebTwoFactorAuthComponentService,
 WebTwoFactorAuthDuoComponentService,
 LinkSsoService,
 } from "../auth";
@@ -269,12 +267,6 @@ const safeProviders: SafeProvider[] = [
 useClass: WebLockComponentService,
 deps: [],
 }),
- // TODO: PM-18182 - Refactor component services into lazy loaded modules
- safeProvider({
- provide: TwoFactorAuthComponentService,
- useClass: WebTwoFactorAuthComponentService,
- deps: [],
- }),
 safeProvider({
 provide: SetPasswordJitService,
 useClass: WebSetPasswordJitService,
diff --git a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html
deleted file mode 100644
index 7ed1efeb461..00000000000
--- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.html
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
-
-

{{ "updateEncryptionKey" | i18n }}

-
-

- {{ "updateEncryptionSchemeDesc" | i18n }} - {{ "learnMore" | i18n }} -

- {{ "updateEncryptionKeyWarning" | i18n }} - - - {{ "masterPass" | i18n }} - - - - -
-
-
-
diff --git a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts b/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts
deleted file mode 100644
index f6685a749a2..00000000000
--- a/apps/web/src/app/key-management/migrate-encryption/migrate-legacy-encryption.component.ts
+++ /dev/null
@@ -1,100 +0,0 @@
-import { Component } from "@angular/core";
-import { FormControl, FormGroup, Validators } from "@angular/forms";
-import { firstValueFrom } from "rxjs";
-
-import { AccountService } from "@bitwarden/common/auth/abstractions/account.service";
-import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
-import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
-import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
-import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { FolderApiServiceAbstraction } from "@bitwarden/common/vault/abstractions/folder/folder-api.service.abstraction";
-import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
-import { DialogService, ToastService } from "@bitwarden/components";
-import { KeyService } from "@bitwarden/key-management";
-
-import { SharedModule } from "../../shared";
-import { UserKeyRotationModule } from "../key-rotation/user-key-rotation.module";
-import { UserKeyRotationService } from "../key-rotation/user-key-rotation.service";
-
-// The master key was originally used to encrypt user data, before the user key was introduced.
-// This component is used to migrate from the old encryption scheme to the new one.
-@Component({
- imports: [SharedModule, UserKeyRotationModule],
- templateUrl: "migrate-legacy-encryption.component.html",
-})
-export class MigrateFromLegacyEncryptionComponent {
- protected formGroup = new FormGroup({
- masterPassword: new FormControl("", [Validators.required]),
- });
-
- constructor(
- private accountService: AccountService,
- private keyRotationService: UserKeyRotationService,
- private i18nService: I18nService,
- private keyService: KeyService,
- private messagingService: MessagingService,
- private logService: LogService,
- private syncService: SyncService,
- private toastService: ToastService,
- private dialogService: DialogService,
- private folderApiService: FolderApiServiceAbstraction,
- ) {}
-
- submit = async () => {
- this.formGroup.markAsTouched();
-
- if (this.formGroup.invalid) {
- return;
- }
-
- const activeUser = await firstValueFrom(this.accountService.activeAccount$);
- if (activeUser == null) {
- throw new Error("No active user.");
- }
-
- const hasUserKey = await this.keyService.hasUserKey(activeUser.id);
- if (hasUserKey) {
- this.messagingService.send("logout");
- throw new Error("User key already exists, cannot migrate legacy encryption.");
- }
-
- const masterPassword = this.formGroup.value.masterPassword!;
-
- try {
- await this.syncService.fullSync(false, true);
-
- await this.keyRotationService.rotateUserKeyAndEncryptedDataLegacy(masterPassword, activeUser);
-
- this.toastService.showToast({
- variant: "success",
- title: this.i18nService.t("keyUpdated"),
- message: this.i18nService.t("logBackInOthersToo"),
- timeout: 15000,
- });
- this.messagingService.send("logout");
- } catch (e) {
- // If the error is due to missing folders, we can delete all folders and try again
- if (
- e instanceof ErrorResponse &&
- e.message === "All existing folders must be included in the rotation."
- ) {
- const deleteFolders = await this.dialogService.openSimpleDialog({
- type: "warning",
- title: { key: "encryptionKeyUpdateCannotProceed" },
- content: { key: "keyUpdateFoldersFailed" },
- acceptButtonText: { key: "ok" },
- cancelButtonText: { key: "cancel" },
- });
-
- if (deleteFolders) {
- await this.folderApiService.deleteAll(activeUser.id);
- await this.syncService.fullSync(true, true);
- await this.submit();
- return;
- }
- }
- this.logService.error(e);
- throw e;
- }
- };
-}
diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts
index 0d6ffb88ad6..6a7cc51d3ba 100644
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -151,13 +151,6 @@ const routes: Routes = [
 canActivate: [authGuard],
 data: { titleId: "updatePassword" } satisfies RouteDataProperties,
 },
- {
- path: "migrate-legacy-encryption",
- loadComponent: () =>
- import("./key-management/migrate-encryption/migrate-legacy-encryption.component").then(
- (mod) => mod.MigrateFromLegacyEncryptionComponent,
- ),
- },
 ],
 },
 {
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index e1a2d3cbef2..a217b38e650 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -4473,9 +4473,6 @@
 }
 }
 },
- "encryptionKeyUpdateCannotProceed": {
- "message": "Encryption key update cannot proceed"
- },
 "editFieldLabel": {
 "message": "Edit $LABEL$",
 "placeholders": {
@@ -4528,24 +4525,15 @@
 }
 }
 },
- "keyUpdateFoldersFailed": {
- "message": "When updating your encryption key, your folders could not be decrypted. To continue with the update, your folders must be deleted. No vault items will be deleted if you proceed."
- },
- "keyUpdated": {
- "message": "Key updated"
- },
- "updateEncryptionKey": {
- "message": "Update encryption key"
- },
- "updateEncryptionSchemeDesc": {
- "message": "We've changed the encryption scheme to provide better security. Update your encryption key now by entering your master password below."
- },
 "updateEncryptionKeyWarning": {
 "message": "After updating your encryption key, you are required to log out and back in to all Bitwarden applications that you are currently using (such as the mobile app or browser extensions). Failure to log out and back in (which downloads your new encryption key) may result in data corruption. We will attempt to log you out automatically, however, it may be delayed."
 },
 "updateEncryptionKeyAccountExportWarning": {
 "message": "Any account restricted exports you have saved will become invalid."
 },
+ "legacyEncryptionUnsupported": {
+ "message": "Legacy encryption is no longer supported. Please contact support to recover your account."
+ },
 "subscription": {
 "message": "Subscription"
 },
diff --git a/libs/angular/src/auth/guards/lock.guard.spec.ts b/libs/angular/src/auth/guards/lock.guard.spec.ts
index ed77f9bdebf..2085e0f3486 100644
--- a/libs/angular/src/auth/guards/lock.guard.spec.ts
+++ b/libs/angular/src/auth/guards/lock.guard.spec.ts
@@ -79,7 +79,6 @@ describe("lockGuard", () => {
 { path: "", component: EmptyComponent },
 { path: "lock", component: EmptyComponent, canActivate: [lockGuard()] },
 { path: "non-lock-route", component: EmptyComponent },
- { path: "migrate-legacy-encryption", component: EmptyComponent },
 ]),
 ],
 providers: [
@@ -182,18 +181,6 @@ describe("lockGuard", () => {
 expect(messagingService.send).toHaveBeenCalledWith("logout");
 });
- it("should send the user to migrate-legacy-encryption if they are a legacy user on a web client", async () => {
- const { router } = setup({
- authStatus: AuthenticationStatus.Locked,
- canLock: true,
- isLegacyUser: true,
- clientType: ClientType.Web,
- });
-
- await router.navigate(["lock"]);
- expect(router.url).toBe("/migrate-legacy-encryption");
- });
-
 it("should allow navigation to the lock route when device trust is supported, the user has a MP, and the user is coming from the login-initiated page", async () => {
 const { router } = setup({
 authStatus: AuthenticationStatus.Locked,
diff --git a/libs/angular/src/auth/guards/lock.guard.ts b/libs/angular/src/auth/guards/lock.guard.ts
index 01d03dc718d..4b09ddeee18 100644
--- a/libs/angular/src/auth/guards/lock.guard.ts
+++ b/libs/angular/src/auth/guards/lock.guard.ts
@@ -11,11 +11,9 @@ import { AccountService } from "@bitwarden/common/auth/abstractions/account.serv
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
-import { ClientType } from "@bitwarden/common/enums";
 import { DeviceTrustServiceAbstraction } from "@bitwarden/common/key-management/device-trust/abstractions/device-trust.service.abstraction";
 import { VaultTimeoutSettingsService } from "@bitwarden/common/key-management/vault-timeout";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
-import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { KeyService } from "@bitwarden/key-management";
 /**
@@ -33,7 +31,6 @@ export function lockGuard(): CanActivateFn {
 const authService = inject(AuthService);
 const keyService = inject(KeyService);
 const deviceTrustService = inject(DeviceTrustServiceAbstraction);
- const platformUtilService = inject(PlatformUtilsService);
 const messagingService = inject(MessagingService);
 const router = inject(Router);
 const userVerificationService = inject(UserVerificationService);
@@ -59,12 +56,7 @@ export function lockGuard(): CanActivateFn {
 return false;
 }
- // If legacy user on web, redirect to migration page
 if (await keyService.isLegacyUser()) {
- if (platformUtilService.getClientType() === ClientType.Web) {
- return router.createUrlTree(["migrate-legacy-encryption"]);
- }
- // Log out legacy users on other clients
 messagingService.send("logout");
 return false;
 }
diff --git a/libs/auth/src/angular/login/login.component.ts b/libs/auth/src/angular/login/login.component.ts
index 8674453cf10..425260ec2e0 100644
--- a/libs/auth/src/angular/login/login.component.ts
+++ b/libs/auth/src/angular/login/login.component.ts
@@ -282,16 +282,12 @@ export class LoginComponent implements OnInit, OnDestroy {
 private async handleAuthResult(authResult: AuthResult): Promise {
 if (authResult.requiresEncryptionKeyMigration) {
 /* Legacy accounts used the master key to encrypt data.
- Migration is required but only performed on Web. */
- if (this.clientType === ClientType.Web) {
- await this.router.navigate(["migrate-legacy-encryption"]);
- } else {
- this.toastService.showToast({
- variant: "error",
- title: this.i18nService.t("errorOccured"),
- message: this.i18nService.t("encryptionKeyMigrationRequired"),
- });
- }
+ This is now unsupported and requires a downgraded client */
+ this.toastService.showToast({
+ variant: "error",
+ title: this.i18nService.t("errorOccured"),
+ message: this.i18nService.t("legacyEncryptionUnsupported"),
+ });
 return;
 }
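Review bot: The rewritten block comment in `handleAuthResult` says legacy encryption "requires a downgraded client", while the `legacyEncryptionUnsupported` string shown to the user says to contact support; the two describe different recovery paths, and a maintainer reading the comment could take running an older client as the supported route. Suggest aligning the comment with the message, e.g. `/* Legacy accounts used the master key to encrypt data. This is no longer supported on any client; the user is told to contact support. */`. The same error toast is built again in the `@@ -388` hunk of two-factor-auth.component.ts, so a small shared helper would keep the two in step. `ClientType` and `this.clientType` may have lost a use here; the rest of the component is outside the hunk, so that needs checking against the full file.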
diff --git a/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts b/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts
index f68c1d34515..1ce0cba5afb 100644
--- a/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/default-two-factor-auth-component.service.ts
@@ -1,6 +1,5 @@
 import {
 DuoLaunchAction,
- LegacyKeyMigrationAction,
 TwoFactorAuthComponentService,
 } from "./two-factor-auth-component.service";
@@ -9,10 +8,6 @@ export class DefaultTwoFactorAuthComponentService implements TwoFactorAuthCompon
 return false;
 }
- determineLegacyKeyMigrationAction() {
- return LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING;
- }
-
 determineDuoLaunchAction(): DuoLaunchAction {
 return DuoLaunchAction.DIRECT_LAUNCH;
 }
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts
index c99722fb8e4..2d2cdba3a10 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth-component.service.ts
@@ -1,12 +1,5 @@
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
-// FIXME: update to use a const object instead of a typescript enum
-// eslint-disable-next-line @bitwarden/platform/no-enums
-export enum LegacyKeyMigrationAction {
- PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING,
- NAVIGATE_TO_MIGRATION_COMPONENT,
-}
-
 // FIXME: update to use a const object instead of a typescript enum
 // eslint-disable-next-line @bitwarden/platform/no-enums
 export enum DuoLaunchAction {
@@ -38,18 +31,6 @@ export abstract class TwoFactorAuthComponentService {
 */
 abstract removePopupWidthExtension?(): void;
- /**
- * We used to use the user's master key to encrypt their data. We deprecated that approach
- * and now use a user key. This method should be called if we detect that the user
- * is still using the old master key encryption scheme (server sends down a flag to
- * indicate this). This method then determines what action to take based on the client.
- *
- * We have two possible actions:
- * 1. Prevent the user from logging in and show a warning that they need to migrate their key on the web client today.
- * 2. Navigate the user to the key migration component on the web client.
- */
- abstract determineLegacyKeyMigrationAction(): LegacyKeyMigrationAction;
-
 /**
 * Optionally closes any single action popouts (extension only).
 * @returns true if we are in a single action popout and it was closed, false otherwise.
diff --git a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
index 57637fe9118..85184283efd 100644
--- a/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
+++ b/libs/auth/src/angular/two-factor-auth/two-factor-auth.component.ts
@@ -69,7 +69,6 @@ import {
 } from "./two-factor-auth-component-cache.service";
 import {
 DuoLaunchAction,
- LegacyKeyMigrationAction,
 TwoFactorAuthComponentService,
 } from "./two-factor-auth-component.service";
 import {
@@ -388,22 +387,12 @@ export class TwoFactorAuthComponent implements OnInit, OnDestroy {
 if (!result.requiresEncryptionKeyMigration) {
 return false;
 }
- // Migration is forced so prevent login via return
- const legacyKeyMigrationAction: LegacyKeyMigrationAction =
- this.twoFactorAuthComponentService.determineLegacyKeyMigrationAction();
- switch (legacyKeyMigrationAction) {
- case LegacyKeyMigrationAction.NAVIGATE_TO_MIGRATION_COMPONENT:
- await this.router.navigate(["migrate-legacy-encryption"]);
- break;
- case LegacyKeyMigrationAction.PREVENT_LOGIN_AND_SHOW_REQUIRE_MIGRATION_WARNING:
- this.toastService.showToast({
- variant: "error",
- title: this.i18nService.t("errorOccured"),
- message: this.i18nService.t("encryptionKeyMigrationRequired"),
- });
- break;
- }
+ this.toastService.showToast({
+ variant: "error",
+ title: this.i18nService.t("errorOccured"),
+ message: this.i18nService.t("legacyEncryptionUnsupported"),
+ });
 return true;
 }
diff --git a/libs/auth/src/common/login-strategies/login.strategy.ts b/libs/auth/src/common/login-strategies/login.strategy.ts
index 6e66d65b654..f1b7d236fb7 100644
--- a/libs/auth/src/common/login-strategies/login.strategy.ts
+++ b/libs/auth/src/common/login-strategies/login.strategy.ts
@@ -17,7 +17,6 @@ import { IdentityDeviceVerificationResponse } from "@bitwarden/common/auth/model
 import { IdentityTokenResponse } from "@bitwarden/common/auth/models/response/identity-token.response";
 import { IdentityTwoFactorResponse } from "@bitwarden/common/auth/models/response/identity-two-factor.response";
 import { BillingAccountProfileStateService } from "@bitwarden/common/billing/abstractions/account/billing-account-profile-state.service";
-import { ClientType } from "@bitwarden/common/enums";
 import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service";
 import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction";
 import {
@@ -254,13 +253,10 @@ export abstract class LoginStrategy {
 protected async processTokenResponse(response: IdentityTokenResponse): Promise {
 const result = new AuthResult();
- // Old encryption keys must be migrated, but is currently only available on web.
- // Other clients shouldn't continue the login process.
+ // Encryption key migration of legacy users (with no userkey) is not supported anymore
 if (this.encryptionKeyMigrationRequired(response)) {
 result.requiresEncryptionKeyMigration = true;
- if (this.platformUtilsService.getClientType() !== ClientType.Web) {
- return result;
- }
+ return result;
 }
 // Must come before setting keys, user key needs email to update additional keys.
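Review bot: The now-unconditional `return result;` in `processTokenResponse` is the point that stops a legacy account (no user key) before the key-setting code the trailing context comment refers to, on every client including web, but the diffstat lists no login-strategy spec among the 19 changed files, so this path appears to be untested in this commit. A unit test that feeds a token response for which `encryptionKeyMigrationRequired` is true and asserts that `requiresEncryptionKeyMigration` is set and that no token, account or key state is written would pin the behaviour. The new comment could also state the ordering requirement, for example `// Legacy users (no user key) are no longer migrated: return before any token or key state is stored.`. The method body continues outside the hunk, and `platformUtilsService` may now be unused in this class if this was its last reference.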